Method and associated device for generating random numbers at a given interval in time

ABSTRACT

The invention relates to a cryptographic method wherein a random number generator producing random numbers S_(i), whose size N is fixed, between 0 and W-1 is used to produce a random number R between 0 and a predefined limiter K. According to the invention: E31: a random variable S_(i) ranging from 0 to W-1 is produced; E32: if the random variable S_(i) is strictly lower than the coefficient K_(i) of the limiter K in base W, the coefficient R_(i) of order i of the random number R is equal to the random number S_(i), then, for all orders j lower than i, a random variable S_(j) between 0 and W-1 is produced and R_(j)=S_(j); E33: otherwise, if said random variable is greater than the coefficient K_(i) of position i of the limiter K in base W, said coefficient R_(i) is determined on the basis of the random variable S_(i) of order i according to a predetermined function, then a coefficient R_(i-1) is determined for the random number R of order i-1, which is immediately lower, by repeating stages E31-E33. The invention also relates to an electronic component adapted for implementing said method and to a chip card with said component integrated therein. The invention can be applied to cryptographic calculation.

This disclosure is based upon French Application No. 0312435 filed Oct. 24, 2003 and International Application No. PCT/FR2004/050510, filed Oct. 18, 2004, the contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

The invention concerns a method of obtaining a random number between A and B from a generator producing random numbers lying between 0 and W-1, with N the size of the numbers produced by the generator, W-1 the maximum value taken by the random numbers produced, with for example W=2^(N) and A, B any integer numbers, less than or greater than the number W.

Such a situation occurs for example in an electronic component adapted to perform cryptographic calculations and comprising an N-bit random number generator, for example N=8. The random numbers that it can produce are thus between 0 and W-1=255, whilst it would be desirable to have random numbers between for example 0 and 100 or between 300 and 10000. It should be noted that it suffices to determine numbers between 0 and 9700 and then to add 300 to the number obtained in order finally to obtain a number between 300 and 10000.

Such a situation is found in practice in the majority of cryptographic applications, for example the DSA signature, the El Gamal signature or enciphering, the development of countermeasures against various attacks, etc.

Several methods are already known for producing random numbers R between 0 and K from numbers between 0 and W-1. These methods are in general implemented by software means used to control on the one hand a hardware generator that produces random numbers of size N and on the other hand calculation means performing in particular multiplication, addition, etc. operations.

A first known method comprises the following steps:

a) determining the smallest integer number p such that K≤W^(p)-1,

b) producing p random numbers S₀, S₁, . . . , S_(p-1) and forming the variable $S = {\sum\limits_{i = 0}^{p - 1}{S_{i}*W^{i}}}$

c) if S>K, then returning to step b), otherwise putting R=S

R is the random number sought, between 0 and K. The equation $S = {\sum\limits_{i = 0}^{p - 1}{S_{i}*W^{i}}}$ is a representation of the variable S decomposed/recomposed in base (W^(p-1), . . . , W¹, W⁰). It would also be possible to write S=S_(p-1)S_(p-2) . . . S₁S₀, a notation commonly used.

A second known method comprises the following steps:

a) determining the smallest integer number p such that K≤W^(p)-1,

b) producing p random numbers S₀, S₁, . . . , S_(p-1) and forming the variables $T = {\sum\limits_{i = 0}^{p - 2}{S_{i}*W^{i}}}$ and $S = {T + {S_{p - 1}*W^{p - 1}}}$

c) if S>K, putting R=T, otherwise putting R=S

A third known method comprises the following steps:

a) determining the smallest integer p such that K≤W^(p)-1,

b) producing p random numbers S₀, S₁, . . . , S_(p-1) and forming the variable $S = {\sum\limits_{i = 0}^{p - 1}{S_{i}*W^{i}}}$

c) putting R=S mod(K+1), that is to say the remainder of the whole-number division of S by K+1, also referred to as modular reduction of S by K+1.

These three methods can be summarised by the following steps:

a) producing p random numbers S₀, S₁, . . . , S_(p-1), p being the smallest integer number such that K≤W^(p)-1, and forming the variable $S = {\sum\limits_{i = 0}^{p - 1}{S_{i}*W^{i}}}$

b) determining the random number R from the variable S.

According to circumstances, during step b, R is obtained from S by repeating step b (first method), taking account or not of the additional random number S_(p-1) (second method) or performing a modular reduction (third method).

It should be noted that, in the three methods, if a number between A and K+A is required, it suffices to add A to the number R obtained lying between 0 and K.

The main drawback of the first method is a particularly long and especially unpredictable calculation time: the step of producing the p random numbers may be repeated numerous times without it being possible to predict at the start the number of repetitions of this step.

The second and third methods have the main drawback of producing random numbers exhibiting a bias: amongst the numbers R produced in the range [0, K], certain values are more probable than others. In other words, the numbers R produced are not perfectly random (non-uniform distribution). This bias may have significant consequences on the security of the cryptographic systems liable to implement these methods. The security of cryptographic systems assumes in fact that the random numbers that they use are uniformly distributed (or at least close to a uniform distribution) in the range [0, K] or [A, K+A] wished for.

Finally, the three methods are slow overall because they implement operations on large numbers, of size N (in the sense of the number of bits) greater than the size of the circuits used for the implementation. This is because the number K in particular is any number and can be greater than W and therefore of size greater than N. The variable S can also be of large size. However, the implementation of operations on large numbers requires the implementation of complex methods expensive in terms of calculation time.
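To make the bias and running-time remarks above concrete, here is an added example (not part of the patent, which describes no implementation) that enumerates every possible sequence of generator outputs for one choice of W and K and computes the exact output distribution of the three known methods, together with the mean number of repetitions of step b) in the first method. The values W=16 (N=4) and K=677 are chosen here; any other pair works as long as W^p stays small enough to enumerate.

```python
"""Exact output distribution of the three known constructions of R in [0, K] from
p generator outputs S_0..S_{p-1} in [0, W-1].  Added example, not from the patent;
W, K and the exhaustive enumeration are choices made here."""
from fractions import Fraction
from itertools import product


def prior_art_distributions(K, W):
    """Return (p, dist1, dist2, dist3): p as in step a), then for each method the
    exact probability of every output, as Fractions, by enumerating all W**p draws."""
    p = 1
    while W ** p - 1 < K:                      # smallest p with K <= W^p - 1
        p += 1
    d1, d2, d3 = {}, {}, {}
    weight = Fraction(1, W ** p)               # every draw sequence is equally likely
    for draw in product(range(W), repeat=p):   # draw[i] = S_i
        S = sum(s * W ** i for i, s in enumerate(draw))
        T = S - draw[p - 1] * W ** (p - 1)     # S without its most significant coefficient
        if S <= K:                             # method 1 keeps only accepted draws
            d1[S] = d1.get(S, 0) + weight
        r2 = T if S > K else S                 # method 2: drop S_{p-1} when S overshoots
        d2[r2] = d2.get(r2, 0) + weight
        r3 = S % (K + 1)                       # method 3: modular reduction
        d3[r3] = d3.get(r3, 0) + weight
    accept = sum(d1.values())                  # P(S <= K) for one attempt of method 1
    d1 = {r: pr / accept for r, pr in d1.items()}   # law conditional on acceptance
    return p, d1, d2, d3


def bias_ratio(dist):
    """Most probable over least probable output; 1 means exactly uniform."""
    return max(dist.values()) / min(dist.values())


def expected_attempts(K, W, p):
    """Mean number of runs of step b) in method 1: geometric, success probability (K+1)/W^p."""
    return Fraction(W ** p, K + 1)


if __name__ == "__main__":
    p, d1, d2, d3 = prior_art_distributions(677, 16)   # N = 4 bits, K = 0x2A5 (constructed)
    print("p =", p, "mean attempts of method 1 =", float(expected_attempts(677, 16, p)))
    for name, d in (("method 1", d1), ("method 2", d2), ("method 3", d3)):
        print(name, "bias ratio", bias_ratio(d), "(max/min probability over [0, K])")
```

With these values method 1 is exactly uniform but needs about six runs of step b) on average, method 2 concentrates 14 or 15 times the probability of values above 255 on the values 0 to 255, and method 3 gives the residues 0 to 27 a seven-to-six advantage over the rest. The function can be rerun for the W and K of a real design to size the bias before choosing a method.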

DESCRIPTION OF THE INVENTION

An essential object of the invention is to propose a method of constructing a random number R that is particularly rapid.

Thus the invention proposes a cryptographic method during which use is made of a random number generator producing random numbers S_(i) of size N fixed between 0 and W-1, with for example but not necessarily W=2^(N), in order to produce a random number R between 0 and a predefined limiter K.

The essential steps of a method according to the invention are as follows:

E31: a random variable S_(i) between 0 and W-1 is produced,

E32: if the random variable S_(i) is strictly less than a coefficient K_(i) of the limiter K in base W, then the coefficient R_(i) of rank i of the random number R is equal to the random variable S_(i) and then, for any rank j less than i, a random variable S_(j) between 0 and W-1 is produced and R_(j)=S_(j),

E33: otherwise, if the said random variable is greater than the coefficient K_(i) of rank i of the limiter K in base W, then the said coefficient R_(i) is determined from the random variable S_(i) of rank i according to a predetermined function, and then the coefficient R_(i-1) is determined for the random number R of rank i-1 that is immediately lower by repeating steps E31 to E33.

Thus, in a method according to the invention, the coefficients R_(i) of the random number R required are sought one by one, commencing with the most significant coefficient R_(p-1). The physical generator of random numbers used thus produces random variables S_(i) one by one, one variable at each iteration.

In addition, the method is rapid since step E33 is executed a small number of times. This is because, as soon as one of the variables S_(i) produced by the physical generator is less than the associated coefficient K_(i) of the limiter K, the method no longer requires the processing of the variables S_(j) of rank less than i: thus only a small number of coefficients of the number R, the most significant ones, are calculated most often.

Finally, compared with the known methods, a method according to the invention has the advantage of working on numbers of no more than N bits, N being the size of the registers and other calculation circuits of the devices used for implementation. For example, if W is equal to 2^(N), the coefficients K_(i) resulting from the decomposition of K in base (W^(p-1), . . . , W¹, W⁰) are necessarily less than W and therefore of a size of no more than N bits. Likewise, the random variables S_(i) produced by the physical random number generator are also of N bits.

By adding to the essential steps an initialisation step and a step of recombination of the random number R, the following steps are obtained:

E1: the limiter K is decomposed in base (W^(p-1), W^(p-2), . . . , W⁰) $\left( K = \sum\limits_{i = 0}^{p - 1} K_{i}*W^{i} \quad\text{or}\quad K = K_{p - 1}\ldots K_{1}K_{0} \right)$, i being a loop index, K_(i) being a coefficient of the limiter K of rank i between 0 and W-1 and p being the degree of the limiter K,

E2: a Boolean variable f is initialised to TRUE,

E3: the following operations are performed, in a loop indexed by i, i being an integer varying between p-1 and 0:

E31: a random variable S_(i) between 0 and W-1 is produced,

E32: if the random variable S_(i) is strictly less than the coefficient K_(i) of rank i, then the Boolean variable f is set to FALSE,

E33_1: if the random variable S_(i) is strictly greater than the coefficient K_(i) of rank i and the Boolean variable f is TRUE, then the coefficient R_(i) of rank i is determined from the random variable S_(i) of rank i according to a predefined function,

E33_2: otherwise R_(i)=S_(i)

E34: the loop indexed i is decremented,

E4: the random number R is determined by recombination of the random coefficients R_(i) in base W $\left( R = \sum\limits_{i = 0}^{p - 1} R_{i}*W^{i} \quad\text{or}\quad R = R_{p - 1}\ldots R_{1}R_{0} \right)$.

In concrete terms, as soon as the Boolean variable f is set to FALSE, it remains at this value, since provision is not made for resetting it to TRUE except when the method is initialised at step E2. Step E33_1 is executed only if the variable f is TRUE; thus, as soon as the variable f is set to FALSE, step E33_1 is no longer executed and the method according to the invention ends rapidly.

A second objective of the invention is to propose a method of constructing random numbers whose distribution is uniform or can be made as close as desired to a uniform distribution. This objective is achieved by choosing a suitable function for the determination of the coefficient R_(i) from the random variable S_(i).

According to a first embodiment of the method according to the invention, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33_1), the following substeps are performed:

E33_11: if the random variable S_(i) is strictly greater than the coefficient K_(i) of the limiter K, then a new random variable S_(i) is produced,

E33_12: step E33_11 is repeated until the random variable S_(i) is less than the coefficient K_(i) of the limiter K, and then the coefficient R_(i) is set equal to the random variable S_(i).

In such an embodiment, all the coefficients R_(i) obtained are numbers directly produced by the hardware random number generator; these coefficients are therefore perfect and the number R which results therefrom is also perfect. In other words the distribution obtained of the numbers R is uniform in the range [0, K].

According to a second embodiment, during step E33 the coefficient R_(i) of rank i is chosen so as to be equal to a part of the random variable S_(i), a part less than the coefficient K_(i), the said part corresponding in one example to a limited number of bits of the variable S_(i).

According to a third embodiment, during step E33 the random variable S_(i) is reduced modulo K_(i)+1, the result of the reduction being the coefficient R_(i) sought.

These latter two embodiments are rapid compared with the known methods, essentially because the work is done on small numbers. The distributions of random numbers obtained are however not uniform: the simple fact of truncating the variable S_(i) or performing a reduction modulo K_(i)+1 necessarily introduces a bias. However, this bias is smaller than with the methods of the prior art.

Moreover, it is possible to reduce the bias of the methods according to the second and third embodiments proposed, as will be seen below.

In a method according to the invention as described above, a random number R less than K is constructed from variables S_(i) of size N produced by a perfectly random physical generator. The number R obtained is biased, but the bias is small compared with a known method.

For this, in the second or third embodiment, a coefficient R_(i)≤K_(i) is constructed, in particular during step E33_1, from variables S_(i) of size N. In order to reduce the bias introduced on the coefficient R_(i), it is proposed to construct it using the same steps E1 to E3 as for constructing the number R. In a sense, two similar methods are “interleaved”. This makes it possible to reduce further the size of the numbers on which the work is carried out, and consequently to reduce further the bias on the coefficient of R, and on the final number R.

In concrete terms, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33_1), steps E1 to E4 are executed using a base (β^(q-1), . . . , β⁰) as the calculation base, β being an integer number strictly less than W and q being the degree of K_(i) in base β.

Step E33 is thus broken down into the following substeps:

E33_41: the coefficient K_(i) of rank i of the limiter K is decomposed in base (β^(q-1), . . . , β⁰) $\left( K_{i} = \sum\limits_{j = 0}^{q - 1} \left( K_{i} \right)_{j}*\beta^{j} \quad\text{or}\quad K_{i} = \left( K_{i} \right)_{q - 1}\ldots\left( K_{i} \right)_{1}\left( K_{i} \right)_{0} \right)$, j being a loop index, (K_(i))_(j) being a number between 0 and β-1 and q being the degree of the coefficient K_(i),

E33_42: a second Boolean variable g is initialised to TRUE,

E33_43: the following operations are performed, in a loop indexed by j varying between q-1 and 0:

E33_431: a random variable (S_(i))_(j) between 0 and β-1 is produced,

E33_432: if the random variable (S_(i))_(j) is strictly less than the coefficient (K_(i))_(j), then the second Boolean variable g is set to FALSE,

E33_4331: if the random variable (S_(i))_(j) is strictly greater than the coefficient (K_(i))_(j) and the second Boolean variable g is TRUE, then a coefficient (R_(i))_(j) is determined from the random variable (S_(i))_(j) according to a predefined function,

E33_4332: otherwise, (R_(i))_(j)=(S_(i))_(j),

E33_434: the loop indexed j is decremented,

E33_44: the random number R_(i) is determined by recombination of the random coefficients (R_(i))_(j) in base β $\left( R_{i} = \sum\limits_{j = 0}^{q - 1} \left( R_{i} \right)_{j}*\beta^{j} \quad\text{or}\quad R_{i} = \left( R_{i} \right)_{q - 1}\ldots\left( R_{i} \right)_{1}\left( R_{i} \right)_{0} \right)$.

As has just been seen above, by “interleaving” two methods, the bias of the random numbers R produced by the global method is reduced, whilst preserving a rapid global method. It is of course possible to imagine “interleaving” more than two methods, for example three or four, by decomposing, in step E33_43, the numbers in base γ<β, and decomposing step E33_43 into a succession of steps similar to steps E33_41 to E33_43.

In general terms, the more methods are “interleaved”, the smaller the numbers on which the work is carried out: the duration of each step decreases and the bias of the numbers produced by the global method also decreases.
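The following added example (not the patent's code; the patent describes no implementation) puts steps E1 to E4 above into one routine with the E33_1 rule made pluggable, so that it covers the three embodiments (rejection, truncation to a limited number of low-order bits, reduction modulo K_(i)+1) and the interleaved embodiment, which obtains R_(i) by running the same routine again in base β. The callable rng(base) standing in for the hardware generator, the scripted() replay helper and the values W=16, K=677, β=4 are constructions of this example. One reading of the text is fixed here: the flag f is cleared whenever the coefficient actually kept, R_(i), is below K_(i), including after E33_1, since that is the condition under which the lower ranks may be left unconstrained. exact_distribution computes the exact law of R for a given rule, so the bias each rule leaves can be measured for any K and W instead of estimated from samples.

```python
"""Coefficient-by-coefficient construction of R in [0, K] (steps E1 to E4) with the
E33_1 rules of the three embodiments, the interleaved variant in base beta, and an
exact-distribution calculator to measure the bias each rule leaves on R.  Added
example: rng(base), scripted() and the sample values are constructions, not the patent's."""
import random
from fractions import Fraction


def digits(k, base):
    """E1: coefficients of k in base `base`, least significant first."""
    out = []
    while k:
        out.append(k % base)
        k //= base
    return out or [0]


# E33_1 rules: turn a variable s > k into a coefficient r <= k.
def reject(s, k, rng, base):            # first embodiment: redraw until s <= k
    while s > k:
        s = rng(base)
    return s


def truncate(s, k, rng, base):          # second embodiment: keep the low bits that fit under k
    n_bits = (k + 1).bit_length() - 1   # 2**n_bits - 1 <= k, so the result never exceeds k
    return s & ((1 << n_bits) - 1)


def reduce_mod(s, k, rng, base):        # third embodiment: s mod (k + 1)
    return s % (k + 1)


def interleaved(beta, inner_rule):
    """E33_41 to E33_44: obtain r <= k by running the same steps again in base beta < W.
    Assumes rng(beta) yields a uniform value in [0, beta-1] (not specified by the text)."""
    return lambda s, k, rng, base: bounded_random(k, beta, rng, inner_rule)


def bounded_random(limit, base, rng, rule):
    """Return R in [0, limit], most significant coefficient first (steps E1 to E4).
    rng(b) must return a uniform integer in [0, b-1]; it stands in for the generator."""
    f = True                                    # E2: prefix of R so far equals prefix of K
    r = 0
    for k_i in reversed(digits(limit, base)):   # E3: ranks p-1 down to 0
        s_i = rng(base)                         # E31
        if f and s_i > k_i:                     # E33_1
            r_i = rule(s_i, k_i, rng, base)
        else:                                   # E33_2
            r_i = s_i
        f = f and r_i == k_i                    # E32, tested on the coefficient kept
        r = r * base + r_i                      # E4: recombination, done incrementally
    return r


def scripted(values):
    """Replay a constructed list of generator outputs, for reproducible checks."""
    it = iter(values)
    return lambda base: next(it)


def sample(limit, base, rule, n, seed=0):
    """n values of R from a seeded PRNG standing in for the generator (demo only)."""
    rng = random.Random(seed).randrange
    return [bounded_random(limit, base, rng, rule) for _ in range(n)]


# Exact analysis: rule_dist(k, base) is the law of the E33_1 output when it runs.
def deterministic_dist(rule):
    """Law of a deterministic rule's output over the s in (k, base-1] that trigger it."""
    def dist(k, base):
        out = {}
        for s in range(k + 1, base):
            r = rule(s, k, None, base)
            out[r] = out.get(r, 0) + Fraction(1, base - k - 1)
        return out
    return dist


def reject_dist(k, base):
    """Rejection yields a uniform coefficient on [0, k] whichever s triggered it."""
    return {r: Fraction(1, k + 1) for r in range(k + 1)}


def exact_distribution(limit, base, rule_dist):
    """Exact probability of every R in [0, limit] that bounded_random can return."""
    uniform = {s: Fraction(1, base) for s in range(base)}
    states = {(0, True): Fraction(1)}           # (value built so far, flag f) -> probability
    for k_i in reversed(digits(limit, base)):
        under_flag = {r: Fraction(1, base) for r in range(k_i + 1)}     # E33_2 part
        tail = Fraction(base - k_i - 1, base)                           # P(s_i > k_i)
        if tail:
            for r, p in rule_dist(k_i, base).items():                   # E33_1 part
                under_flag[r] = under_flag.get(r, 0) + tail * p
        nxt = {}
        for (value, f), prob in states.items():
            for r_i, p in (under_flag if f else uniform).items():
                key = (value * base + r_i, f and r_i == k_i)
                nxt[key] = nxt.get(key, 0) + prob * p
        states = nxt
    dist = {}
    for (value, _), prob in states.items():
        dist[value] = dist.get(value, 0) + prob
    return dist


def bias_ratio(dist):
    """Most probable over least probable value of R; 1 means exactly uniform."""
    return max(dist.values()) / min(dist.values())


if __name__ == "__main__":                       # demo: W = 16 (N = 4 bits), K = 677
    for rule, rd in ((reject, reject_dist), (reduce_mod, deterministic_dist(reduce_mod))):
        print(rule.__name__, sample(677, 16, rule, 6), bias_ratio(exact_distribution(677, 16, rd)))
```

For the interleaved rule the matching distribution argument is `lambda k, base: exact_distribution(k, beta, inner_dist)`, which reuses the same calculator one level down. With W=10 and K=15, exact_distribution with reject_dist gives 1/20 to each of 0 to 9 and 1/12 to each of 10 to 15: every coefficient drawn under the flag is uniform on [0, K_(i)], but the numbers whose leading coefficients equal those of K are drawn from a narrower range, so the law of R for the actual K and W is worth computing before a uniformity property is relied on.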

Another object of the invention is an electronic component adapted for implementing the method as described above. Such a component comprises in particular a generator producing random numbers of size N, and calculation circuits for performing operations on numbers of no more than N bits.

According to the embodiment of the method to be implemented, the calculation circuits are adapted to perform operations of comparing two numbers, number truncation and modular reduction.

The random number generator and the calculation circuits are preferably controlled by a software means stored in a memory of the component provided for this purpose.

The invention also concerns a chip card comprising an electronic component as described above.

1. A cryptographic method during which use is made of a random number generator producing random numbers S_(i) of size N fixed between 0 and W-1, in order to produce a random number R between 0 and a predefined limiter K, wherein: E31: a random variable S_(i) between 0 and W-1 is produced, E32: if the random variable S_(i) is strictly less than a coefficient K_(i) of the limiter K in base W, then the coefficient R_(i) of rank i of the random number R is equal to the random variable S_(i) and then, for any rank j less than i, a random variable S_(j) between 0 and W-1 is produced and R_(j)=S_(j), E33: otherwise, if the said random variable is greater than the coefficient K_(i) of rank i of the limiter K in base W, then said coefficient R_(i) is determined from the random variable S_(i) of rank i according to a predetermined function, and then the coefficient R_(i-1) is determined for the random number R of rank i-1 that is immediately lower by repeating steps E31 to E33.
2. A method according to claim 1, during which the following steps are performed: E1: the limiter K is decomposed in base (W^(p-1), W^(p-2), . . . , W⁰) in the form ${K = {\sum\limits_{i = 0}^{p - 1}{K_{i}*W^{i}}}},$ i being a loop index, K_(i) being a coefficient of the limiter K of rank i between 0 and W-1 and p being the degree of the limiter K, E2: a Boolean variable f is initialised to TRUE, E3: the following operations are performed, in a loop indexed by i, i being an integer varying between p-1 and 0: E31: a random variable S_(i) between 0 and W-1 is produced, E32: if the random variable S_(i) is strictly less than the coefficient K_(i) of rank i, then the Boolean variable f is set to FALSE, E33_1: if the random variable S_(i) is strictly greater than the coefficient K_(i) of rank i and the Boolean variable f is TRUE, then the coefficient R_(i) of rank i is determined from the random variable S_(i) of rank i according to a predefined function, E33_2: otherwise R_(i)=S_(i), E34: the loop index i is decremented, E4: the random number R is determined by recombination of the random coefficients R_(i) in base W according to the equation: $R = {\sum\limits_{i = 0}^{p - 1}{R_{i}*{W^{i}.}}}$
3. A method according to claim 2, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (steps E33_1 and E33_2), the following substeps are performed: E33_11: if the random variable S_(i) is strictly greater than the coefficient K_(i) of the limiter K, then a new random variable S_(i) is produced, E33_12: step E33_11 is repeated until the random variable S_(i) is less than the coefficient K_(i) of the limiter K, and then the coefficient R_(i) is set equal to the random variable S_(i).
4. A method according to claim 2, during which the coefficient R_(i) of rank i is chosen (steps E33_1 and E33_2) equal to a part of the random variable S_(i), the part less than the coefficient K_(i), said part corresponding to a limited number of bits of the variable S_(i).
5. A method according to claim 2, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33), the random variable S_(i) is reduced modulo K_(i)+1, the result of the reduction being the coefficient sought.
6. A method according to claim 2, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33), steps E1 to E4 are executed using a base (β^(q-1), . . . , β⁰) as the calculation base, β being an integer strictly less than W and q being the degree of K_(i) in base β.
7. A method according to claim 6, in which step E33 is broken down into the following substeps: E33_41: the coefficient K_(i) of rank i of the limiter K is decomposed in base (β^(q-1), . . . , β⁰) in the form ${K_{i} = {\sum\limits_{j = 0}^{q - 1}{\left( K_{i} \right)_{j}*\beta^{j}}}},$ j being a loop index, (K_(i))_(j) being a number between 0 and β-1 and q being a degree of the coefficient K_(i), E33_42: a second Boolean variable g is initialised to TRUE, E33_43: the following operations are performed, in a loop indexed by j varying between q-1 and 0: E33_431: a random variable (S_(i))_(j) between 0 and β-1 is produced, E33_432: if the random variable (S_(i))_(j) is strictly less than the coefficient (K_(i))_(j), then the second Boolean variable g is set to FALSE, E33_4331: if the random variable (S_(i))_(j) is strictly greater than the coefficient (K_(i))_(j) and the second Boolean variable g is TRUE, then a coefficient (R_(i))_(j) is determined from the random variable (S_(i))_(j) according to a predefined function, E33_4332: otherwise, (R_(i))_(j)=(S_(i))_(j), E33_434: the loop index j is decremented, E33_44: the random number R_(i) is determined by recombination of the random coefficients (R_(i))_(j) in base β according to the equation: $R_{i} = {\sum\limits_{j = 0}^{q - 1}{\left( R_{i} \right)_{j}*{\beta^{j}.}}}$
8. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, said control means being adapted for implementing a method according to claim 1.
9. A chip card comprising an electronic component according to claim 1.
10. A method according to claim 3, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33), steps E1 to E4 are executed using a base (β^(q-1), . . . , β⁰) as the calculation base, β being an integer strictly less than W and q being the degree of K_(i) in base β.
11. A method according to claim 4, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33), steps E1 to E4 are executed using a base (β^(q-1), . . . , β⁰) as the calculation base, β being an integer strictly less than W and q being the degree of K_(i) in base β.
12. A method according to claim 5, during which, in order to determine the coefficient R_(i) of rank i from the random variable S_(i) of rank i (step E33), steps E1 to E4 are executed using a base (β^(q-1), . . . , β⁰) as the calculation base, β being an integer strictly less than W and q being the degree of K_(i) in base β.
13. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 2.
14. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 3.
15. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 4.
16. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 5.
17. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 6.
18. An electronic component comprising a generator of random numbers of size N, calculation circuits performing in particular a comparison, a truncation and/or a modular reduction on numbers of no more than N bits, and a means of controlling the random number generator and calculation circuits, the said control means being adapted for implementing a method according to claim 7.